New static IP

Discussion in 'HOWTO-Related Questions' started by mrbronz, Feb 24, 2023.

  1. remkoh

    remkoh Active Member

    Ok, so your server has one ip (and localhost),
    And Bind is listening on that ip and localhost on tcp and udp port 53.
    So Bind seems to be up and running.

    But is a private ip.
    So you then must have a router/firewall in front of your server doing nat/port forwarding.
    Check those rules. I'm almost certain that's causing your server to be unreachable.

    Assuming the IP change only affected your router's WAN and you haven't changed anything on your LAN and server.
    Otherwise it could also be a firewall issue on your server if you have one active.
    Last edited: Mar 1, 2023
  2. mrbronz

    mrbronz Member HowtoForge Supporter

    Well yes I do have router a Draytek Vigor 2765. but have changed the IP addresses on it and have set up a DMZ direct from the Public IP to the private IP, so I cannot see how the firewall will have any effect.
  3. remkoh

    remkoh Active Member

    Fair point. Nevertheless can't the outside world connect to your nameserver. Even though Bind is up and running.

    Whether or not your zone has issues the world should be able to connect.
    So if your Draytek isn't causing it then I can only think of a firewall on the server itself with incorrect or missing configuration.

    First step needs to be resolving the connecting to Bind problems.
    Only after resolving that it's possible to examen other problems you might be having with the zone.
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It actually depends on your router, whether it is a home router or a commercial one. For me, I would try, port forwarding first. If it works, I will check the router's manual how to to make the same work for its DMZ i.e. without port forwarding.
  5. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi ahrasis

    Thank you for the input.

    I have tried both port forwarding and DMZ still not getting anything.

    I noted that I can ping the IP addresses that has equipment connected to them.
    Not that this helps.

    But I think it should show the IP addresses are correctly connected to some degree.

    The public traffic seems to be stopping dead as soon as it reaches my server. However, my private traffic i.e my local IP addresses are getting through and delivering my local web pages.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I mean take the server out from DMZ and keep it inside your LAN while port forwarding to it all the relevant ports as a test. If that works, you know you need to work out on how to properly setup your server in that router's DMZ.
    remkoh likes this.
  7. remkoh

    remkoh Active Member

    Indeed the best way to go.
    Delete all DMZ stuff in your router and set necessary port forwards only.
    (that's tcp and udp port 53 for dns services)

    And make sure you don't have any firewall rules that could interfere.
    (I know Draytek like the back of my hand and therefor what faulty config can do)

    If the outside world stil cannot connect to your nameserver then the problem is definitely your server.
    Some kind of misconfigured firewalling, because yesterday we established that Bind is up and running.
    Last edited: Mar 1, 2023
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    if you're just trying to confirm external dns requests make it to your servers private ip.. stop bind altogether...
    install netcat (nc) and have that listen to port 53 (udp).

    then try to connect to that using netcat on a client machine...

    depending on your router/firewall, you may even be able to try this directly from there, rather than an external client machine.. which should indicate whether or not it's a dns/port forwarding config issue.. or a config / firewall issue directly on the dns server itself.
  9. Alex Mamatuik

    Alex Mamatuik Member

    The every answer section has its own A-record for ispconfig and for another domain.
    Moreover, the authority section has the ns-records.
    In your case, it uses SOA-record.
    I think, you have to figure out primarily of what is wrong with this SOA-record and why an A-record is absent.

    For instance,
    named-based binding for
    $TTL        3600
    @       IN      SOA (
                            2021031401       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            3600 )            ; minimum, seconds
    drupal 86400      A
    mail 3600      A 3600      A
    www 3600      A 3600      AAAA       2402:1f00:8000:800:0:0:0:19d8
    www 3600      AAAA       2402:1f00:8000:800:0:0:0:19d8 3600      CAA        0 issue "" 3600      MX     10 3600      NS 3600      NS 3600      TXT        "v=spf1 mx a ~all"

    whois - is OK
     Name servers:
    but traceroute Name or service not known
    Cannot handle "host" cmdline arg `' on position 1 (argc 1)
    mrbronz likes this.
  10. mrbronz

    mrbronz Member HowtoForge Supporter

    If I wasn't confused before, I am now. Even with all that info, I don't really know what to do with it. But thank you for providing it.
    I have done a local dig using @ and the strange thing is it is returning my old IP addresses.
    I have removed the zone and recreated it. still to no avail.
    Where is it getting the IP address from locally?

    # dig @
    ; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> @
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48520
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: f31bf728e7a1a4c1b6d9c0e163ff9bee6a2fe692aa75bf0f (good)
    ;                 IN      A
    ;; ANSWER SECTION:          3600    IN      A
    ;; AUTHORITY SECTION:          3600    IN      NS          3600    IN      NS
    ;; ADDITIONAL SECTION:      3600    IN      A      3600    IN      A
    ;; Query time: 3 msec
    ;; SERVER:
    ;; WHEN: Wed Mar 01 18:39:42 GMT 2023
    ;; MSG SIZE  rcvd: 154
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That shows the name server is configured with the old IP addresses. Is that your ISPConfig name server? ISPConfig should take care of restarting or reloading name server when configuration was changed.
  12. mrbronz

    mrbronz Member HowtoForge Supporter

    Yes it is, I thought it should take care of any changes but it has not.

    I cannot figure it out.

    I have a couple of other things I will try before I give up
  13. Alex Mamatuik

    Alex Mamatuik Member

    I think, Mr. Till is laughing at us:)o_O:D

    @mrbronz , just show, please, the server-side dns-zone records (even front-end) for (?) either for
  14. mrbronz

    mrbronz Member HowtoForge Supporter

  15. mrbronz

    mrbronz Member HowtoForge Supporter

    This is how it has always been and it has worked right up to the point the IP addresses where changed
  16. Alex Mamatuik

    Alex Mamatuik Member

    it's unbelievable, how could it have been reached?

    (seems, i do know nothing)
    Anyway, - is always used as a private internet protocols (as @remkoh has already mentioned it).

    And why is also added inside of your -zone?
    How did you connect to your ISPConfig control panel earlier? What did you input inside of browser' address bar?

    Your 'named' configuration only persists as a private tunnel.

    The guys (Mr. Lehtonen and others) were right, that the problem is with your port forwarding also.
    - you should understand, how your NAT is executed.

    Oh, it's terrible, i have a lack of knowledge about this matter at all and never dealt... so sad.

    Guess, iptables should be modified.

    My cctv also works like port-forwarding with DMZ.
    ... and OpenVPN uses some similar technique to assign some private ip to your network adapter - to connect with the server, through which you exchange data with outer world.
  17. Alex Mamatuik

    Alex Mamatuik Member

    but i am really disappointed, what for do you need to use a such complicated system with the private-ip rule enabled? very confused and much tangled
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    Correct I don't know much about this, nor do most people when they are starting out, It's not possible in my world to read a 100 books put them down then know everything your ever going to need.
    This is a hobby for me and I enjoy tinkering.
    The reason for domain as I was experimenting and forgot to remove that record.

    I would like to thank you guys so much for all your help and input, you have been so patient with me and it is very much appreciated
    But it seems I have completely messed this up so I have made the decision to rebuild all my servers from scratch.

    Once again many thanks for all your help.

    I may need your help in the future so watch this space

    Thank you and all the best
    Alex Mamatuik likes this.
  19. Alex Mamatuik

    Alex Mamatuik Member

    All, you need: assign ns1,ns2 either dns1,dns2 records for your chosen domain at domain' provider.
    And repeat steps from to-your-taste tutorials for Debian, Centos (my choice) or Ubuntu:
    And a simple, non optimized server would have been ready for 1-2 or 3 hours
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry to hear that you have to rebuild your server from scratch but that will be a good experience though. My guess is however the same, so if you are running the server behind a NAT router again, do try with port forwarding first, and see how it goes.

Share This Page